*Super Duper Urgent*
I need to finish a website by Wednesday, and need info, FAST!

Okay, so I need a quick tip. What is the best way to make sure that included pages aren't visited in an unintended way, that is very efficient and simple?

Like, if website.com/main/loginFormProcess.php is included in website.com/index.php?action=login, I want to prevent someone from going to website.com/main/loginFormProcess.php and setting fake cookies.

What I use is:

Code:

#TEST TO SEE IF THE USER IS TELLING THE TRUTH AND THE COOKIES AREN'T FAKE COOKIES!!!!! Mmmm.... cookies....
$connection = mysql_connect($host, $user, $pass) or die('Unable to connect to the K11 Redemption Tribal Tools Master Database. Please mail EchoXero and 1Freeman1 IN GAME to report the problem. Tell them:' . mysql_error());

//Select USERS Database
mysql_select_db($db) or die('Unable to Connect to the Users Database. Please mail EchoXero and 1Freeman1 IN GAME to report this problem. Tell them:' . mysql_error());

Something I picked up from phpBB (I don't know who first thought of/used this though) and used in frims was the following.

In your index.php

Code:

define('IN_FRIMS', true);

In your included files not to be accessed directly

Code:

if (!defined('IN_FRIMS')) die("Hacking attempt");

This is obviously more efficient than MySQL queries and will protect all included files that you apply it to, regardless of what they do.

polly-gone

Okay, so the whole website is included from index.php. So if I put the first one in index.php, and put the second one in all my other files, my other files become inaccessible unless you access them through index.php?

How reliable is this method?

-Nick

rvec

Anyone can still include the files, but if they don't know what variable to set and what value to give they won't be able to use it. So if you use a random string as value, I think it's quite secure.

polly-gone

Sweet. Thanks so much. This is SOOOOOO much easier than a 30 line authentication at the top of every page.

-Nick

P.S. Second question... What are the cookies _utma, _utmb, etc. that I keep noticing? Is that part of an authentication system?

And I want to have an authentication system that makes sure that people's 'level' cookie matches up with the level I have them set at in the database. For that, what should I use?

polly-gone

How can I make sure that people don't change their level? Should I define that too?

-Nick

500THPOST!GOME!
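Added example, not part of any post in this thread: one way to combine the `IN_FRIMS` guard discussed above with the 'level' check polly-gone asks about, where the level is read from the database for the logged-in user and the cookie is only compared against it. The names `ACTIONS`, `resolve_action()`, `level_for()`, the `users` table layout and the sample rows are assumptions made for the example, and it needs the pdo_sqlite extension to run.

```php
<?php
// Added example, not code from the thread. Hypothetical names: ACTIONS,
// resolve_action(), level_for(), the users table and its sample rows.
declare(strict_types=1);

// Defined by index.php only. A constant cannot be set through GET, POST or cookies.
define('IN_FRIMS', true);

// Allow-list: ?action= selects a key, never a path, so only these files get included.
const ACTIONS = ['login' => 'main/loginFormProcess.php'];

function resolve_action(string $action): ?string
{
    return ACTIONS[$action] ?? null;
}

// First line of every included file (same check as in the thread):
//   if (!defined('IN_FRIMS')) { http_response_code(403); exit; }

// The level is read from the database row of the logged-in user. The user id
// lives in the server-side session; the 'level' cookie is compared, never trusted.
function level_for(PDO $db, array $session, array $cookies): int
{
    if (!isset($session['user_id'])) {
        return 0; // not logged in
    }
    $stmt = $db->prepare('SELECT level FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $level = $stmt->fetchColumn();
    if ($level === false) {
        return 0; // no such user
    }
    if (isset($cookies['level']) && (int) $cookies['level'] !== (int) $level) {
        error_log('level cookie mismatch for user ' . $session['user_id']);
    }
    return (int) $level; // the database value always wins
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 9), (2, 'member', 1)");

// A known action resolves to its file; a path-like value resolves to nothing.
var_dump(resolve_action('login'), resolve_action('../main/loginFormProcess.php'));
// Constructed request: user 2 sends a cookie claiming a level the database does not hold.
var_dump(level_for($db, ['user_id' => 2], ['level' => '9']));
```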

rvec

polly-gone wrote:

How can I make sure that people don't change their level? Should I define that too?